[Freeipa-users] Replicating o=ipaca

Martin Kosek mkosek at redhat.com
Wed Aug 13 06:32:17 UTC 2014


On 08/13/2014 02:15 AM, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> On 08/12/2014 11:49 AM, Rob Crittenden wrote:
>>> Erinn Looney-Triggs wrote:
>>>> The documentation seems to be a little fuzzy on setting up two
>>>> CAs, some parts indicate this is a bad idea because the CRLs can
>>>> clobber each other, other parts, such as the migration guide from
>>>> RHEL 6.5 to 7 seem to indicate that it is ok, albeit maybe that
>>>> is just for a short time.
>>
>>> It isn't a bad idea to stand up clones, you just need to understand
>>> that this is one of the rare places where all masters are not
>>> equal. One has to be designated as the CRL generator and one as the
>>> CA renewal master. These don't have to be the same but it makes
>>> sense to keep them together IMHO.
>>
>>> The reason to limit CRL generation to one master is the small
>>> chance that you could end up with two CRLs with the same serial
>>> number but containing different certificates. Remember that a CRL
>>> is just a signed snapshot in time of revoked certificates.
>>
>>> Similarly for renewal it is vastly easier to do it on one host than
>>> try to manage the race condition of them trying to renew at the
>>> same time.
>>
>>>> What I am wondering, because I get a little nervous when all my
>>>> data for the CA is on one host (backups aside), is whether there
>>>> is a value, assuming that having two concurrent dogtag instances
>>>> is a bad thing, to replicating the ipaca data in ldap. Just the
>>>> data I mean, would it be possible, having just the LDAP data and
>>>> whatever certs are in the replica file to basically reconstruct a
>>>> CA?
>>
>>> Right, you want at least two CAs for redundancy. Some dogtag guru
>>> could probably stand up a new CA using just the LDAP data and the
>>> certs but I can't imagine it would be easy, even for them.
>>
>>> rob
>>
>>
>> Ok, are there manual steps involved in that or does the --setup-ca on
>> the replica just take care of everything?
>>
>> I certainly hope I am not looking in the wrong place, I just can't
>> seem to find anything definitive in the docs.
> 
> --setup-ca does it all for you. Dogtag actually handles the creation of
> the replication agreement so we don't do a lot other than to tell it the
> remote server and provide the initial certs/keys.
> 
> You can use ipa-csreplica-manage to view/manage CA replication agreements.
> 
> rob
> 

Also, in case you choose, for example, to decommission your current CRL
generator, you can switch that role to another machine using this HOWTO:

http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

Martin
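The point Rob makes above, that all masters are equal except for the CRL generator and renewal master roles, is easy to lose track of once several clones exist. The script below is an added example (it is not from this thread and not FreeIPA project code): given a copy of each CA master's Dogtag CS.cfg, it reports which host is configured to generate CRLs and warns when there is not exactly one such host. It keys off the two CS.cfg settings the linked HOWTO flips when the CRL role is moved; the CS.cfg paths in the comments, and the two sample config fragments, are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project.
# Audit which CA masters are configured as the CRL generator, given a copy
# of each master's Dogtag CS.cfg. Only the two ca.crl.MasterCRL.* keys are
# taken from the Promote_CA_to_Renewal_and_CRL_Master HOWTO; the rest is
# illustration.
#
# Assumed real paths (they differ by FreeIPA/Dogtag version):
#   /etc/pki-ca/CS.cfg              FreeIPA 3.x (Dogtag 9)
#   /etc/pki/pki-tomcat/ca/CS.cfg   FreeIPA 4.x (Dogtag 10)
#
# Related commands mentioned in the thread (real, shown here for context):
#   ipa-replica-install --setup-ca <replica-file>   clone the CA while installing the replica
#   ipa-ca-install <replica-file>                   add a CA clone to an existing replica
#   ipa-csreplica-manage list                       list CA (o=ipaca) replication agreements

# cs_get FILE KEY -> value of KEY in a Dogtag CS.cfg (key=value, one per line)
cs_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# crl_role FILE -> "generator" or "clone"; "inconsistent" if the two keys disagree
crl_role() {
    cache=$(cs_get "$1" ca.crl.MasterCRL.enableCRLCache)
    updates=$(cs_get "$1" ca.crl.MasterCRL.enableCRLUpdates)
    case "$cache:$updates" in
        true:true)   echo generator ;;
        false:false) echo clone ;;
        *)           echo inconsistent ;;
    esac
}

# count_generators FILE... -> number of files configured as CRL generator
count_generators() {
    n=0
    for f in "$@"; do
        [ "$(crl_role "$f")" = generator ] && n=$((n + 1))
    done
    echo "$n"
}

# audit_masters FILE... -> exit 0 only if exactly one master generates CRLs.
# Two generators is the failure mode Rob describes: two CRLs with the same
# serial number but different contents. Zero means the CRL simply goes stale.
audit_masters() {
    n=$(count_generators "$@")
    case "$n" in
        1) echo "ok: exactly one CRL generator"; return 0 ;;
        0) echo "warning: no CRL generator configured, CRL will go stale"; return 1 ;;
        *) echo "warning: $n CRL generators configured, risk of conflicting CRLs"; return 1 ;;
    esac
}

# Constructed sample input (not real files): fragments of two masters' CS.cfg,
# one holding the CRL role and one plain clone.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/ipa1.cfg" <<'EOF'
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
EOF
cat > "$tmp/ipa2.cfg" <<'EOF'
ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false
EOF

for f in "$tmp"/*.cfg; do
    printf '%s: %s\n' "$(basename "$f" .cfg)" "$(crl_role "$f")"
done
audit_masters "$tmp"/*.cfg
```

On a real deployment you would fetch each master's CS.cfg (for example over ssh) into a scratch directory and point audit_masters at those copies; the check belongs in the runbook for the promotion HOWTO, run once before and once after the role is moved, so that the window in which two masters both believe they generate CRLs is caught rather than discovered later as a corrupt CRL.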



